Follow-up report on the risk assessment of Information and Communications Technologies (ICT) under the Supervisory Review and Evaluation Process (SREP), the European Banking Authority announced yesterday.
The monitoring report shows that relevant authorities have made significant progress in strengthening ICT risk assessment, which is largely due to the implementation of the Digital Business Resilience Act. At the same time, it notes, further work and continued investment is needed to ensure consistent and effective oversight of ICT risk across the European Union.
The follow-up exercise examined the recommendations issued to competent authorities in 2022, including a targeted follow-up on relevant benchmarking questions. It assessed progress in light of the implementation of the DORA Regulation from January 2025 and the forthcoming integration of the ICT SREP Guidelines into the revised SREP Guidelines – one of the key recommendations of the 2022 report. In carrying out this assessment, the Authority relied mainly on relevant supervisory convergence work.
The findings confirm that competent authorities are strengthening their supervisory capacity and expertise in the ICT sector, increasingly using horizontal analyzes and applying systematic supervisory tools. In terms of assessment criteria, there has been an improvement in the use of ICT risk subcategories, which are now widely applied by almost all authorities.
Overall, the report encourages competent authorities to fully integrate ICT risk methodologies and ICT risk subcategories into supervisory processes, alongside ongoing efforts to strengthen supervisory convergence and operational resilience across the EU.